from the lying-liars dept

Just a few days ago, the Privacy and Civil Liberties Oversight Board (PCLOB) more or less gave a pass to the NSA's Section 702 surveillance program (authorized by Section 702 of the FISA Amendments Act). This is the program that combines PRISM (compelled collection of content from US internet companies) and Upstream (tapping the fiber backbone to sniff traffic in transit) to collect the communications themselves, not just metadata, of "targets." For years, we've pointed out that the NSA defines "targets" differently than most everyone else does, and people in the know, like Senator Ron Wyden, have been trying to warn us that the NSA's definition allows it to sweep up the communications of a very, very large number of innocent people. The PCLOB more or less admitted that it didn't actually see the details of what the NSA collected, but a newly analyzed trove of documents from Ed Snowden reveals the truth. While the program may actually be useful in discovering terrorist plots, it also collects a ridiculous amount of data on people who clearly are not targets, and the NSA is incredibly lax about purging that unrelated information from its databases (so-called "minimization").

This latest report, written by Barton Gellman and Ashkan Soltani at the Washington Post, is important for a number of different reasons. First, for quite some time now, NSA insiders have insisted that while Snowden had access to papers and reports about the various surveillance programs, he never had access to the actual contents of the surveillance databases. That was clearly a lie. As the article notes:

As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.

And, of course, Snowden-haters have regularly mocked the claim he made in his very first interview that "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email." Many had used the fact that no such "FISA data" had been revealed, or even alluded to, as proof that Snowden was talking bigger than his actual position and that, as an "IT guy," he didn't really have the same access analysts did. It is now clear that those people were lying. Snowden clearly had access to that data, and gave a sample to Gellman.

Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.

Of course, this makes it all the more concerning that the NSA has admitted it still has no idea what Snowden took. For all the talk of how carefully these programs are audited, can the NSA legitimately expect anyone to believe that others, perhaps those with more nefarious intent, haven't made off with the same kinds of content? Note the two separate failures here: an access model that let a contractor search stored content and task new collection "without prior approval of his search terms," and an audit trail so thin that the agency cannot reconstruct afterwards what he pulled. The NSA (1) has admitted it doesn't know what Snowden took and (2) insisted he didn't have access to this data. Now that it's been proven he did have access and gave it to journalists, it seems pretty damn clear that the NSA has no idea whether anyone else took that same data as well, or whether anyone has been abusing the same access for more nefarious purposes (espionage, blackmail, you name it).

Meanwhile, the very same NSA defenders who insisted that Snowden didn't have access to the surveillance database have quietly dropped their old statements and re-spun this story into how he was "reckless" in handling such sensitive data. Snowden explains that having a sample of this kind of data is incredibly important in letting the world know just how broad the 702 surveillance is:

In an interview, Snowden said “primary documents” offered the only path to a concrete debate about the costs and benefits of Section 702 surveillance. He did not favor public release of the full archive, he said, but he did not think a reporter could understand the programs “without being able to review some of that surveillance, both the justified and unjustified.”

Indeed, even for those of us who have been screaming loudly, since long before Snowden leaked his documents, about how the NSA interpreted "target" differently than most people (including Congress) suspected, the detailed revelations here are eye opening about just how much information the NSA actually collects based on those "targets."

Nine of 10 account holders... were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.

And, frequently, the information that the NSA retained on clearly non-targeted individuals was quite revealing. Remember that this is the actual content of communications, not "just metadata" (that's a different program).

Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.

[....]

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

This sample cache shows pretty clearly that anything even remotely connected to a loosely defined "target" (which can be a computer or an IP address rather than a person) gets collected and stored:

If a target entered an online chat room, the NSA collected the words and identities of every person who posted there, regardless of subject, as well as every person who simply “lurked,” reading passively what other people wrote.

“1 target, 38 others on there,” one analyst wrote. She collected data on them all.

In other cases, the NSA designated as its target the Internet protocol, or IP, address of a computer server used by hundreds of people.

You may recall that, all the way back in 2011, we reported on Senators Ron Wyden and Mark Udall asking James Clapper how many Americans were being spied upon under Section 702 of the FISA Amendments Act, and being told it was impossible to estimate such a number. Here, Gellman and Soltani use what they found in the cache to produce the estimate that the NSA and ODNI would not:

The NSA, backed by Director of National Intelligence James R. Clapper Jr., has asserted that it is unable to make any estimate, even in classified form, of the number of Americans swept in. It is not obvious why the NSA could not offer at least a partial count, given that its analysts routinely pick out “U.S. persons” and mask their identities, in most cases, before distributing intelligence reports.

If Snowden’s sample is representative, the population under scrutiny in the PRISM and Upstream programs is far larger than the government has suggested. In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.

The report also highlights the cavalier attitude of NSA analysts in deciding what to keep and what to "minimize." Section 702 gives the NSA far more leeway than a traditional FISA warrant does, and NSA analysts are making quite a lot of use of that leeway:

In their classified internal communications, colleagues and supervisors often remind the analysts that PRISM and Upstream collection have a “lower threshold for foreignness ‘standard of proof’ ” than a traditional surveillance warrant from a FISA judge, requiring only a “reasonable belief” and not probable cause.

One analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language, a quality shared by tens of millions of Americans. Others are allowed to presume that anyone on the chat “buddy list” of a known foreign national is also foreign.

Basically, it appears that if an analyst can come up with any plausible reason to claim someone is "foreign," that reason will do: the standard is a "reasonable belief," not probable cause, and signals as weak as the language an e-mail is written in, or a spot on a foreign national's buddy list, are enough. And because the NSA knows it has much greater latitude under Section 702, analysts sometimes shift surveillance over to that authority when a traditional FISA warrant can't be renewed:

In an ordinary FISA surveillance application, the judge grants a warrant and requires a fresh review of probable cause — and the content of collected surveillance — every 90 days. When renewal fails, NSA and allied analysts sometimes switch to the more lenient standards of PRISM and Upstream.

“These selectors were previously under FISA warrant but the warrants have expired,” one analyst writes, requesting that surveillance resume under the looser standards of Section 702. The request was granted.

The report is quite damning in revealing two things the NSA has tried to hide. First, Snowden clearly had widespread access to the content in the surveillance databases, despite strong claims that he did not. Second, those databases include a ton of information on people who were never "targeted," and in the sample that information outweighs the information on actual targets by 9 to 1.

from the because-that-matters-too dept

We've been arguing that the tech industry should be furious, and a hell of a lot more vocal, about the NSA's spying. One of the big issues is that it's creating tremendous trust problems for anyone using US-based internet services. In an age where so many internet companies are looking at a global audience, these revelations put them at a significant disadvantage. And, unfortunately, in most of the discussions about all of this spying, the focus has been mainly on whether or not the NSA's actions have been targeted at US persons. This is important, because the nature of FISA is that it's supposed to limit NSA activities against US persons, while placing basically no limit on what the agency can do when it comes to non-US persons. That's the nature of the law (and of the fact that non-US persons abroad aren't treated as protected by the US Constitution in the first place). But that's the legal side of things, not the practical reality. We shouldn't just assume that the issue of spying on non-US persons can be ignored as "perfectly legal." For companies, it can be a complete disaster if non-US persons won't use their services.

Thus, it's good to see that a letter sent by a group of prominent US technologists, academics and activists to the NSA Review Group (beyond some other key points) includes a discussion of why the impact on non-US persons should not be ignored:

Part of the Review Group's charge is to evaluate the extent to which the NSA surveillance programs respect "our commitment to privacy and civil liberties." In an increasingly global information environment, these commitments undoubtedly extend to non-U.S. persons. The United Nations Human Rights Council has resolved that, "the same rights that people have offline must also be protected online." If U.S. providers of services must ignore the rights of non-U.S. persons due to domestic surveillance obligations, the free flow of information that Internet activities depend upon will stagnate. On the contrary, if jurisdictions accept -- as the United States does at the UN -- that all users have some rights to privacy regardless of a user's location, this sets a necessary condition for people of the world to feel comfortable engaging in cross-border Internet activities, upon which the promise of a global connected society rests.

While I doubt any review, or even any legislative attempt to roll back the NSA's efforts, will address this, it's going to become an increasingly important issue. At the very least, the tech industry should be addressing it head on, rather than letting the NSA and the intelligence community set the frame for the debate.